SHA256
1
0
forked from pool/salt
salt/temporary-fix-extend-the-whitelist-of-allowed-comman.patch

223 lines
7.7 KiB
Diff
Raw Normal View History

From 7605781decd03cb493e09893aa60a5cdbed15d35 Mon Sep 17 00:00:00 2001
From: Bo Maryniuk <bo@suse.de>
Date: Thu, 24 Jan 2019 18:12:35 +0100
Subject: [PATCH] temporary fix: extend the whitelist of allowed
commands
---
salt/auth/__init__.py | 48 +++++++++++++++++++++----------------------
1 file changed, 24 insertions(+), 24 deletions(-)
diff --git a/salt/auth/__init__.py b/salt/auth/__init__.py
index c4cf163a67..ee1eac7ce4 100644
--- a/salt/auth/__init__.py
+++ b/salt/auth/__init__.py
@@ -1,4 +1,3 @@
-# -*- coding: utf-8 -*-
"""
Salt's pluggable authentication system
@@ -13,7 +12,6 @@ so that any external authentication system can be used inside of Salt
# 5. Cache auth token with relative data opts['token_dir']
# 6. Interface to verify tokens
-from __future__ import absolute_import, print_function, unicode_literals
import collections
import getpass
@@ -48,6 +46,8 @@ AUTH_INTERNAL_KEYWORDS = frozenset(
"gather_job_timeout",
"kwarg",
"match",
+ "id_",
+ "force",
"metadata",
"print_event",
"raw",
@@ -56,7 +56,7 @@ AUTH_INTERNAL_KEYWORDS = frozenset(
)
-class LoadAuth(object):
+class LoadAuth:
"""
Wrap the authentication system to handle peripheral components
"""
@@ -76,7 +76,7 @@ class LoadAuth(object):
"""
if "eauth" not in load:
return ""
- fstr = "{0}.auth".format(load["eauth"])
+ fstr = "{}.auth".format(load["eauth"])
if fstr not in self.auth:
return ""
try:
@@ -94,7 +94,7 @@ class LoadAuth(object):
"""
if "eauth" not in load:
return False
- fstr = "{0}.auth".format(load["eauth"])
+ fstr = "{}.auth".format(load["eauth"])
if fstr not in self.auth:
return False
# When making auth calls, only username, password, auth, and token
@@ -144,7 +144,7 @@ class LoadAuth(object):
mod = self.opts["eauth_acl_module"]
if not mod:
mod = load["eauth"]
- fstr = "{0}.acl".format(mod)
+ fstr = "{}.acl".format(mod)
if fstr not in self.auth:
return None
fcall = salt.utils.args.format_call(
@@ -163,7 +163,7 @@ class LoadAuth(object):
"""
if "eauth" not in load:
return auth_list
- fstr = "{0}.process_acl".format(load["eauth"])
+ fstr = "{}.process_acl".format(load["eauth"])
if fstr not in self.auth:
return auth_list
try:
@@ -179,7 +179,7 @@ class LoadAuth(object):
"""
if "eauth" not in load:
return False
- fstr = "{0}.groups".format(load["eauth"])
+ fstr = "{}.groups".format(load["eauth"])
if fstr not in self.auth:
return False
fcall = salt.utils.args.format_call(
@@ -237,7 +237,7 @@ class LoadAuth(object):
if groups:
tdata["groups"] = groups
- return self.tokens["{0}.mk_token".format(self.opts["eauth_tokens"])](
+ return self.tokens["{}.mk_token".format(self.opts["eauth_tokens"])](
self.opts, tdata
)
@@ -248,7 +248,7 @@ class LoadAuth(object):
"""
tdata = {}
try:
- tdata = self.tokens["{0}.get_token".format(self.opts["eauth_tokens"])](
+ tdata = self.tokens["{}.get_token".format(self.opts["eauth_tokens"])](
self.opts, tok
)
except salt.exceptions.SaltDeserializationError:
@@ -275,7 +275,7 @@ class LoadAuth(object):
"""
List all tokens in eauth_tokn storage.
"""
- return self.tokens["{0}.list_tokens".format(self.opts["eauth_tokens"])](
+ return self.tokens["{}.list_tokens".format(self.opts["eauth_tokens"])](
self.opts
)
@@ -283,7 +283,7 @@ class LoadAuth(object):
"""
Remove the given token from token storage.
"""
- self.tokens["{0}.rm_token".format(self.opts["eauth_tokens"])](self.opts, tok)
+ self.tokens["{}.rm_token".format(self.opts["eauth_tokens"])](self.opts, tok)
def authenticate_token(self, load):
"""
@@ -459,7 +459,7 @@ class LoadAuth(object):
ret["error"] = {
"name": "EauthAuthenticationError",
"message": 'Authentication failure of type "eauth" occurred for '
- "user {0}.".format(username),
+ "user {}.".format(username),
}
return ret
@@ -469,7 +469,7 @@ class LoadAuth(object):
msg = 'Authentication failure of type "user" occurred'
if not auth_ret: # auth_ret can be a boolean or the effective user id
if show_username:
- msg = "{0} for user {1}.".format(msg, username)
+ msg = "{} for user {}.".format(msg, username)
ret["error"] = {"name": "UserAuthenticationError", "message": msg}
return ret
@@ -501,7 +501,7 @@ class LoadAuth(object):
return ret
-class Resolver(object):
+class Resolver:
"""
The class used to resolve options for the command line and for generic
interactive interfaces
@@ -514,7 +514,7 @@ class Resolver(object):
def _send_token_request(self, load):
master_uri = "tcp://{}:{}".format(
salt.utils.zeromq.ip_bracket(self.opts["interface"]),
- six.text_type(self.opts["ret_port"]),
+ str(self.opts["ret_port"]),
)
with salt.transport.client.ReqChannel.factory(
self.opts, crypt="clear", master_uri=master_uri
@@ -530,16 +530,16 @@ class Resolver(object):
if not eauth:
print("External authentication system has not been specified")
return ret
- fstr = "{0}.auth".format(eauth)
+ fstr = "{}.auth".format(eauth)
if fstr not in self.auth:
print(
(
- 'The specified external authentication system "{0}" is '
+ 'The specified external authentication system "{}" is '
"not available"
).format(eauth)
)
print(
- "Available eauth types: {0}".format(
+ "Available eauth types: {}".format(
", ".join([k[:-5] for k in self.auth if k.endswith(".auth")])
)
)
@@ -550,14 +550,14 @@ class Resolver(object):
if arg in self.opts:
ret[arg] = self.opts[arg]
elif arg.startswith("pass"):
- ret[arg] = getpass.getpass("{0}: ".format(arg))
+ ret[arg] = getpass.getpass("{}: ".format(arg))
else:
- ret[arg] = input("{0}: ".format(arg))
+ ret[arg] = input("{}: ".format(arg))
for kwarg, default in list(args["kwargs"].items()):
if kwarg in self.opts:
ret["kwarg"] = self.opts[kwarg]
else:
- ret[kwarg] = input("{0} [{1}]: ".format(kwarg, default))
+ ret[kwarg] = input("{} [{}]: ".format(kwarg, default))
# Use current user if empty
if "username" in ret and not ret["username"]:
@@ -579,7 +579,7 @@ class Resolver(object):
with salt.utils.files.set_umask(0o177):
with salt.utils.files.fopen(self.opts["token_file"], "w+") as fp_:
fp_.write(tdata["token"])
- except (IOError, OSError):
+ except OSError:
pass
return tdata
@@ -602,7 +602,7 @@ class Resolver(object):
return tdata
-class AuthUser(object):
+class AuthUser:
"""
Represents a user requesting authentication to the salt master
"""
--
2.29.2